High security mode

New Relic's default APM agent settings provide a high level of security. However, you may need to guarantee that even if the default APM agent settings are overridden to be more permissive, no sensitive data will ever be sent to New Relic. If this is the case, then you will want to turn on APM's high security mode.

Account level

High security is an account level feature. If you choose to turn on high security, you must enable high security for all applications reporting to the account. High security must be set on each individual account. Sub-accounts do not automatically inherit the high security setting when it is enabled on the master account.

If the agent is configured for high security locally but not in New Relic's collectors, then the agent connections will be rejected, and the agent will shut down. This will not shut down your application.

Remote

To set high security through the New Relic user interface, use the following URL, replacing ACCOUNT_ID with your New Relic account ID:

https://rpm.newrelic.com/accounts/ACCOUNT_ID/high_security

If the agent is configured for high security on New Relic's collectors but not locally, then the agent connections will be rejected and the agent will shut down. This will not shut down your application.

Results of enabling high security v2

Once enabled, high security v2 ensures the following for your account:

Feature

Comments

Requires agents to use a secure connection (HTTPS)

High security mode requires a secure (HTTPS) connection. Non-secure connection attempts will be rejected. The latest versions of all New Relic agents support HTTPS. If the configuration is not set appropriately, the agent will override the property to ensure that all data in transit is encrypted as per the latest industry standards.

Prevents HTTP param capture

High security mode does not allow HTTP params, which may contain sensitive customer data, to be sent to the New Relic collector. If the agent is configured to send HTTP params locally or through server-side configuration, high security mode will override the configuration to never capture HTTP params.

Prevents message queue param capture

High security mode does not allow message queue params, which may contain sensitive customer data, to be sent to the New Relic collector. If the agent is configured to send message queue params locally or through server-side configuration, then high security mode will override the configuration to never capture message queue params.

Prevents raw query statement capture

High security mode does not allow raw database query statements, which may contain sensitive customer data, to be captured. If the agent is configured to capture raw queries locally or through server-side configuration, then high security mode will override the configuration to never capture raw queries.

Prevents user attribute capture

High security mode does not allow attributes set using each agent's API to be captured, as these may contain sensitive customer data. For example, in the Java agent, attributes passed in through the following NewRelic agent API calls will be blocked:

NewRelic.addCustomParameter(String key, String value)

NewRelic.addCustomParameter(String key, Number value)

NewRelic.setUserName(String name)

NewRelic.setAccountName(String name)

NewRelic.setProductName(String name)

Prevents noticeError attribute capture

High security mode does not allow attributes set using each agent's noticeError API call to be captured, as these may contain sensitive customer data. For example, in the Java agent, attributes passed in through the following NewRelic agent API calls will be blocked:

NewRelic.noticeError(String message, Map<String, String> params)

NewRelic.noticeError(Throwable throwable, Map<String, String> params)

Prevents custom events

High security mode does not allow custom events to be created using the agent API, as these may contain sensitive customer data. For example, in the .NET agent, the API call RecordCustomEvent will be blocked.

Enable the first version

The original version of high security only requires you to enable high security through the New Relic user interface. Use the following URL, and replace ACCOUNT_ID with your New Relic account ID:

https://rpm.newrelic.com/accounts/ACCOUNT_ID/high_security

Once you enable high security for an account, high security cannot be turned off without assistance from New Relic Support.

Results of enabling high security v1

Once enabled, high security v1 ensures the following for your account:

Feature

Comments

Requires agents to use a secure connection (HTTPS)

High security mode requires an encrypted connection (HTTPS). Non-secure connection attempts will be rejected. The latest versions of all New Relic agents support HTTPS. If the configuration is not set appropriately, the agent will override the property to ensure that all data in transit is encrypted as per the latest industry standards.

Prevents HTTP param capture

Agents configured to capture HTTP params, which may contain sensitive customer data, are not allowed to connect to New Relic. If the local configuration is set to capture request parameters, then New Relic's collector will reject the connection, and the agent will shut down.

Prevents raw query statement capture

Agents configured to capture raw database query statements, which may contain sensitive customer data, are not allowed to connect to New Relic. If the agent is configured to capture raw queries locally or through server-side configuration, New Relic's collector will reject the connection and the agent will shut down.

Migrate from version 1 to version 2

These are the main differences between the two versions of high security:

To make high security even more secure, version 2 requires high security to be enabled both in the New Relic user interface and in the local New Relic configuration file. High security v1 only required high security to be set in the New Relic UI.

User attributes, noticeError attributes, and message queue parameters are turned off with high security in version 2, but not in version 1.

To update from v1 to v2, add high_security: true to your local configuration file.
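A pre-deployment check for the behavior described above, added here as an example and not New Relic's own code: it reads a local agent configuration and reports which settings would cause a rejected connection and which would be silently overridden under each high security version. Only `high_security` comes from this page; the `common:` section layout and the key names `ssl`, `capture_params` and `transaction_tracer.record_sql` are assumptions modeled on YAML agent configuration files, so adjust them to your agent.

```python
import re

# Constructed sample of an agent newrelic.yml (not taken from the page).
SAMPLE = """\
common:
  app_name: billing-api   # hypothetical application
  high_security: false
  ssl: false
  capture_params: true
  transaction_tracer:
    record_sql: raw
"""

def flatten(text):
    """Flatten the nested 'key: value' subset of YAML into dotted keys."""
    out, stack = {}, []                      # stack: (indent, key) of open maps
    for raw in text.splitlines():
        m = re.match(r"^(\s*)([\w.]+):\s*(.*)$", raw.split(" #")[0].rstrip())
        if not m:
            continue                         # blank line, comment, list item
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("'\"")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if value:
            out[".".join([k for _, k in stack] + [key])] = value.lower()
        else:
            stack.append((indent, key))
    return out

def audit(text, hsm_version=2, section="common"):
    """Return (outcome, key) pairs for settings that conflict with high security."""
    cfg = flatten(text)
    get = lambda key, default: cfg.get(f"{section}.{key}", default)
    on = {"true", "yes", "on"}
    # v1 rejects agents with risky capture settings; v2 overrides them instead.
    capture = "reject" if hsm_version == 1 else "override"
    findings = []
    if hsm_version == 2 and get("high_security", "false") not in on:
        findings.append(("reject", "high_security"))   # local/account mismatch
    if get("ssl", "true") not in on:
        findings.append(("override", "ssl"))           # HTTPS is forced
    if get("capture_params", "false") in on:
        findings.append((capture, "capture_params"))
    if get("transaction_tracer.record_sql", "obfuscated") == "raw":
        findings.append((capture, "transaction_tracer.record_sql"))
    return findings

if __name__ == "__main__":
    for outcome, key in audit(SAMPLE):
        print(f"{outcome:8} {key}")
```

A `reject` finding means the agent would fail to connect and shut down once high security is enabled on the account, so fix those before flipping the account setting.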